Startup Design and Analysis Note 


This application note is based on an article published in the March, 1997 edition of EEE Links 
[http://rk.gsfc.nasa.gov/home_page/Papers/eee_links/9703_eee.htm]. This note is being published to 
improve the visibility of this subject, as we continue to see problems surface in designs, as well 
as to add additional information to the previously published note for design engineers. 

The original application note focused on designing systems with no single point failures using 
Actel Field Programmable Gate Arrays (FPGAs) for critical applications. Included in that note 
were the basic principles of operation of the Actel FPGA and a discussion of potential single- 
point failures. The note also discussed the issue of startup transients for that class of device. It is 
unfortunate that we continue to see some design problems using these devices. This note will 
focus on the startup properties of certain electronic components, in general, and current Actel 
FPGAs, in particular. Devices that are "power-on friendly" are currently being developed by 
Actel, as a variant of the new SX series of FPGAs. 

In the ideal world, electronic components would behave much differently than they do in the real 
world. The chain, of course, starts with the power supply. Ideally, the voltage will immediately 
rise to a stable Vcc level; of course, it does not. Aside from practical design considerations, 
inrush current limits of certain capacitors must be observed and the power supply's output may 
be intentionally slew rate limited to prevent a large current spike on the system power bus. In 
any event, power supply rise time may range from less than 1 msec to 100 msec or more. 

For digital logic, a "popular methodology" is to have fully synchronous designs. Again, in the 
ideal world, the clock oscillator will start immediately upon the application of power, with well- 
formed edges, rail-to-rail swings, no dropouts, and a stable frequency. However, crystal 
oscillators do not start instantaneously. From Horowitz and Hill's The Art of Electronics, 2nd 
Edition: 


... However, because of its high-resonant Q, a crystal oscillator cannot start up 
instantaneously, and an oscillator in the megahertz range typically takes 5-20 ms 
to start up; a 32 kHz oscillator can take up to a second (Q = 10^5). ... 

A few different oscillator models have recently been tested and their characteristics varied 
widely. Some oscillators would output garbage with increasing amplitude as the power supply 
rises and it starts; some would start rather quickly; a space-flight qualified oscillator took a 
significantly longer time to start. When the unit starts to oscillate, dropped pulses and varying 
pulse widths were observed. Additionally, for the flight model oscillator (200 kHz), the start 
time was not specified on the data sheet. Measurements showed that for that oscillator, start time 
was a linear function of power supply rise time, when measured with t_RISE varying from 1 msec to 
200 msec, the limits of our tests. So, for critical subsystems, the specifications of the oscillator 
on startup must be known and the system environment, including power supply rise time, must 
be compliant with the test conditions on the oscillator's data sheet to guarantee in-spec 
performance. Following this, the time constant of the power on reset circuit can be determined, 
ensuring that the system is in a safe state when the oscillator starts and is stable. Additionally, 
the logic design must go to a safe state assuming that either no clock is present or that an out-of- 
control clock is present during the startup transient. A fully synchronous logic design cannot 
perform that function. 
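
The point above about synchronous logic, as an added example (not code from the original note or from Actel): a register with only a synchronous reset next to one with an asynchronously asserted reset and a gated output. Module and signal names are hypothetical, and por_n is assumed to come from an external power-on reset circuit that stays low for the whole startup transient. It covers only the missing or erratic clock case; the FPGA's own outputs may still not follow their truth tables during startup, so external buffering and isolation are still needed.

```verilog
// Added example; all names are hypothetical. por_n is assumed to be driven
// by an external power-on reset circuit, low (asserted) during startup.

// Fully synchronous version: reset is sampled only on a clock edge, so with
// no clock (oscillator not yet started) fire_q keeps its power-up value.
module fire_ctrl_sync (
    input  wire clk,
    input  wire por_n,
    input  wire fire_cmd,
    output wire fire_out
);
    reg fire_q;
    always @(posedge clk) begin
        if (!por_n) fire_q <= 1'b0;
        else        fire_q <= fire_cmd;
    end
    assign fire_out = fire_q;      // ungated: exposes the power-up state
endmodule

// Asynchronous reset assertion, synchronous release, and a gated output.
module fire_ctrl_safe (
    input  wire clk,
    input  wire por_n,
    input  wire fire_cmd,
    output wire fire_out
);
    reg       fire_q;
    reg [1:0] rst_sync;

    // Asserts with no clock present; releases only after two clock edges
    // following the rise of por_n, so the clock must be running by then.
    always @(posedge clk or negedge por_n) begin
        if (!por_n) rst_sync <= 2'b00;
        else        rst_sync <= {rst_sync[0], 1'b1};
    end
    wire rst_n = rst_sync[1];

    always @(posedge clk or negedge por_n) begin
        if (!por_n)      fire_q <= 1'b0;   // takes effect without a clock
        else if (!rst_n) fire_q <= 1'b0;
        else             fire_q <= fire_cmd;
    end

    // Combinational gate: the output is forced inactive while por_n is low,
    // independent of the clock and of the flip-flop state.
    assign fire_out = fire_q & por_n & rst_n;
endmodule
```

The reset release assumes the power-on reset time constant is longer than the oscillator start time, as the paragraph above requires.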

Figure 2. Summary of start time of a space-qualified 200 kHz oscillator as a 
function of power supply rise time at 10°C. 

For programmable logic devices, depending upon the type, the startup characteristics of the 
power supply can affect the behavior of some programmable devices. Devices with internal 
Power On Reset (POR) circuits such as some FPGAs and configuration memories may require 
that a minimum slew rate on the power supply be met as well as a monotonic increase in the 
supply voltage. The UTMC PAL requires that no voltage is present on the device before power 
up [see http://rk.gsfc.nasa.gov/richcontent/pals.Tixl PowerUp.html] or the device may be placed into a test 
mode. Current Actel FPGAs [as of this writing, May 1999] may have inputs that behave as 
outputs or outputs that do not follow their truth table during startup. The behavior of the Actel 
devices will be the topic of the rest of this application note. However, in any technology, 
including SRAM-based FPGAs and some JTAG circuits, the configuration of the device during 
the startup transient must be taken into account to provide a safe design for critical systems. 

Charge pumps are used in Actel FPGAs to bias the transistors (high voltage n-channel FETs) that 
isolate modules of the logic and I/O cells during programming and connect them in normal 
operation. The pump produces a voltage higher than Vcc to ensure that the FETs are fully on and 
can pass a logic '1'. Since the pump takes a finite time to ramp up and turn on the FETs, the 
device may not behave properly until the pump is up and the system is stable. This amount of 
time is a function of the device model, its particular lot and unit, radiation degradation and 
annealing time, and slew rate of the power supply, among other factors. 

Additionally, test results show that the startup characteristics are also a function of the device's 
recent history. In particular, the amount of time since the device was last powered down can 
affect the startup transient. In a laboratory test supporting a recent space-flight failure 
investigation, a set of devices (three units each of A1020B and A1020) "glitched" after a cold 
start and the flip-flops of interest powered up to '1's. After only a brief shutdown, glitches were 
not observed and the flip-flops powered up to the opposite state. A complete characterization of 
this memory effect is difficult at best and is not considered practical. 

This behavior is in contrast to full digital CMOS devices, which generally have I/O pins that 
behave well and follow their truth tables at quite a low voltage. Currently, some Actel FPGA I/O 
modules that have been programmed as inputs may behave temporarily as outputs that are in the 
logical '1' state and may temporarily source current into the drivers connected to them. Device 
outputs are also not guaranteed to follow their truth tables and may source current at startup, 
although they "logically" should be sinking current to produce a logic '0', as is frequently used in 
power-on reset circuits. The time period for the startup transient depends on the power supply 
slew rate and other factors, including radiation exposure and annealing. 

The figure below shows the power-up characteristics of a flight spare FPGA. In this picture, two 
of the outputs are shown to first spike high and then latch into the high state; subsequently a 
clock pulse would correctly clear the flip-flop. Subsequent power cycles would not reproduce 
this behavior and both outputs would remain low with no glitches. After hours in the powered- 
off state, the glitches would return and the outputs would latch high. Interestingly, after a power 
on-off cycle, the voltage was ramped at the very low rate of just under 1 volt/sec. This produced 
both glitches and the outputs were latched high (waveforms not shown). 



[Figure not recoverable from source: power-up characteristics of a flight spare FPGA.]


Actel FPGAs, as do some other manufacturers' devices, need time to 'start' and care must be 
exercised for any critical spacecraft function implemented with FPGAs (or other components 
such as oscillators). This is a real problem and analysis of system startup is critical. In 
particular, here are some examples of system level failures: 

• A motor controller FPGA powered up with all outputs high, resulting in high currents, 
ultimately blowing the fuses in the power supply. 

• An instrument controller FPGA powered up in an illegal configuration, forcing latching 
relays into an undesired state. 

• A pyrotechnic controller FPGA had only a synchronous reset function and did not gate 
the outputs of the device during the power-on transient. A combination of these effects 
resulted in pyrotechnic devices firing at an inappropriate time. 

Any design that directly connects the inputs or outputs of currently available Actel FPGAs to 
critical spacecraft controls could result in hardware that malfunctions on power-up without any 
failure of the FPGA. Some precautions that may be taken include: 

1. Do not attach an FPGA input to the analog part of a power-on reset circuit. 

2. Buffer and isolate the FPGA outputs from any critical spacecraft controls that require 
proper operation during the startup transient. 

3. Provide appropriate error detection/correction/fail-safe and isolation schemes for 
applications that require tolerance to single point failures. For certain reliability levels, 
this may require putting redundant functions in separate IC packages, as is frequently 
done with discrete device designs. 

Two relevant Actel application notes have been put on-line at our www site and may be accessed 
by the following links: 

http://rk.gsfc.nasa.gov/richcontent/fpga_content/DesignNotes/BoardLevelConsiderationsForActelFPGAs.pdf 

http://rk.gsfc.nasa.gov/richcontent/fpga_content/DesignNotes/PowerOnReset.pdf 

The purpose of this NASA Parts Advisory is to alert the NASA community of 
application concerns with Field Programmable Gate Arrays (FPGAs) made by Actel 
Corporation (CAGE Code: 0J4Z0) of Sunnyvale, CA. In particular, system 
designers are reminded of the need to consider the startup behavior 
characteristics of these devices to prevent unwanted or unexpected turn on 
states from occurring. This Advisory is based on an article published in the 
March 1997 edition of NASA's EEE Links Newsletter: 

http://misspiggy.gsfc.nasa.gov/ctre/hq/eee_links 

This article may also be found at: 

http://rk.gsfc.nasa.gov/home_page/Papers/eee_links/9703_eee.htm 

This issue is being published as a NASA Parts Advisory to improve the visibility 
of this subject, as problems continue to surface in designs, as well as to add 
additional information to the previously published note for design engineers. 

BACKGROUND: 


The original application note from the EEE Links article focused on designing 
systems with no single point failures using Actel FPGAs for critical 
applications. Included in that note were the basic principles of operation of 
the Actel FPGA and a discussion of potential single-point failures. The note 
also discussed the issue of startup transients for that class of device. It is 
unfortunate that some designs continue to experience problems using these 
devices. This Advisory focuses on the startup properties of all Actel FPGA 
families produced up to the date of this Advisory which includes the following 
Actel device series: 

Actel FPGA Device Families Susceptible to Startup Anomalies 

    ACT 1    XL 
    ACT 2    MX 
    ACT 3    SX 
             DX 

Please note that Actel is currently developing devices that are "power-on 
friendly", as a variant of the new SX series of FPGAs. The product name for 
this upcoming series is not yet known. 

For programmable logic devices, depending upon the type, the startup 
characteristics of the power supply can affect the device behavior. Devices 
with internal Power On Reset (POR) circuits such as some FPGAs and configuration 
memories may require that a minimum slew rate on the power supply be met as well 
as a monotonic increase in the supply voltage. Current Actel FPGAs [as of this 
writing, May 1999] may have inputs that behave as outputs or outputs that do not 
follow their truth table during startup. In any technology, including SRAM- 
based FPGAs and some JTAG circuits, the configuration of the device during the 
startup transient must be taken into account to provide a safe design for 
critical systems. 

Charge pumps are used in Actel FPGAs to bias the transistors (high voltage n- 
channel FETs) that isolate modules of the logic and I/O cells during programming 
and connect them in normal operation. The pump produces a voltage higher than 
Vcc to ensure that the FETs are fully on and can pass a logic '1'. Since the 
pump takes a finite time to ramp up and turn on the FETs, the device may not 
behave properly until the pump is up and the system is stable. This amount of 
time is a function of the device model, its particular lot and unit, radiation 
degradation and annealing time, and slew rate of the power supply, among other 
factors. 

Additionally, test results show that the startup characteristics are also a 
function of the device's recent history. In particular, the amount of time 
since the device was last powered down can affect the startup transient. In a 
laboratory test supporting a recent space-flight failure investigation, a set of 
Actel devices (three units each of A1020B and A1020) "glitched" after a cold 
start and the flip-flops of interest powered up to '1's. After only a brief 
shutdown, glitches were not observed and the flip-flops powered up to the 
opposite state. A complete characterization of this memory effect is difficult 
at best and is not considered practical. 

This behavior is in contrast to full digital CMOS devices, which generally have 
I/O pins that behave well and follow their truth tables at quite a low voltage. 
Currently, some Actel FPGA I/O modules that have been programmed as inputs may 
behave temporarily as outputs that are in the logical '1' state and may 
temporarily source current into the drivers connected to them. Device outputs 
are also not guaranteed to follow their truth tables and may source current at 
startup, although they "logically" should be sinking current to produce a logic 
'0', as is frequently used in power-on reset circuits. The time period for the 
startup transient depends on the power supply slew rate and other factors, 
including radiation exposure and annealing. 

The figure below shows the power-up characteristics of a flight spare FPGA. In 
this picture, two of the outputs are shown to first spike high and then latch 
into the high state; subsequently a clock pulse would correctly clear the flip- 
flop. Subsequent power cycles would not reproduce this behavior and both 
outputs would remain low with no glitches. After hours in the powered-off 
state, the glitches would return and the outputs would latch high. 

Interestingly, after a power on-off cycle, the voltage was ramped at the very 
low rate of just under 1 volt/sec. This produced both glitches and the outputs 
were latched high (waveforms not shown). 

Figure 1. Power-on transient of a space-qualified A1020 (2.0 µm) after 24 hours 
off. The power supply rise time was approximately 20 msec. Horizontal scale is 
5 msec per division and vertical scale is 2 volts per division; it would not 
repeat after rapid power on-off cycles. 



Actel FPGAs, as do some other manufacturers' devices, need time to 'start' and 
care must be exercised for any critical spacecraft function implemented with 
FPGAs (or other components such as oscillators). This is a real problem and 
analysis of system startup is critical. In particular, here are some examples 
of system level failures: 

• A motor controller FPGA powered up with all outputs high, resulting in high 
currents, ultimately blowing the fuses in the power supply. 

• An instrument controller FPGA powered up in an illegal configuration, 
forcing latching relays into an undesired state. 

• A pyrotechnic controller FPGA had only a synchronous reset function and did 
not gate the outputs of the device during the power-on transient. A 
combination of these effects resulted in pyrotechnic devices firing at an 
inappropriate time. 

SUGGESTED DESIGN RULES FOR ACTEL FPGAs: 

Any design that directly connects the inputs or outputs of currently available 
Actel FPGAs to critical spacecraft controls could result in hardware that 
malfunctions on power-up without any failure of the FPGA. Some precautions that 
may be taken include: 

1. Do not attach an FPGA input to the analog part of a power-on reset 
circuit. 

2. Buffer and isolate the FPGA outputs from any critical spacecraft controls 
that require proper operation during the startup transient. 

3. Provide appropriate error detection/correction/fail-safe and isolation 
schemes for applications that require tolerance to single point failures. 
For certain reliability levels, this may require putting redundant 
functions in separate IC packages, as is frequently done with discrete 
device designs. 

Two relevant Actel application notes have been put on-line at the author of this 
Advisory's WWW site and may be accessed by the following links: 

http://rk.gsfc.nasa.gov/richcontent/fpga_content/DesignNotes/BoardLevelConsiderationsForActelFPGAs.pdf 

http://rk.gsfc.nasa.gov/richcontent/fpga_content/DesignNotes/PowerOnReset.pdf 


FOR FURTHER INFORMATION: 


Please submit questions or comments regarding this NASA Parts Advisory to: 

Rich Katz 

NASA Goddard Space Flight Center 
Code 564 
301 286-9705 
301 286-1768 fax 
Richard.B.Katz.1@gsfc.nasa.gov 








